[Tickets #5753] Minimize lacking PGP forward secrecy with webmail

bugs at bugs.horde.org
Thu Sep 27 16:00:28 UTC 2007


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=5753
-----------------------------------------------------------------------
 Ticket             | 5753
 Created By         | libre at immerda.ch
 Summary            | Minimize lacking PGP forward secrecy with webmail
 Queue              | Horde Base
 Version            | 3.1.4
 Type               | Enhancement
 State              | New
 Priority           | 3. High
 Owners             | 
-----------------------------------------------------------------------


libre at immerda.ch (2007-09-27 09:00) wrote:

PGP lacks forward secrecy, i.e. once a secret key with corresponding
passphrase is known to an attacker, all prior and all future mails can be
decrypted if intercepted. Webmail applications are especially vulnerable to
keylogger (or looking over one's shoulders) attacks because they are often
used in insecure environments. Horde lets you export the secret key, thus
one successful attack suffices to compromise all prior and all future
mails. I therefore suggest omitting this "feature" (exporting of the secret
key) in future versions.

I think it is not really important for users to export their secret key.
If they wish to have a copy on their hard disk, they should have a secure
place anyway and thus probably have the possibility to generate a key pair
on this system and import it into Horde afterwards. If they want to change
to a local mail system, they should generate a new key anyway if it was
possible to export the key without their knowledge beforehand.


